Abstract. Unsatisfiable cores (UCs) are a well established means for
debugging in a declarative setting. Still, tools that perform automated
extraction of UCs for LTL are scarce. Using resolution graphs to extract
UCs is common in many domains. In this paper we show how to construct
resolution graphs for temporal resolution as implemented in the
temporal resolution-based solver TRP++ and how to use them to extract
UCs for propositional LTL. We implement our method in TRP++, and we
experimentally evaluate it. Source code of our tool is available.

1 Introduction 

Motivation Unsatisfiable cores (UCs) are well established in formal verification, 
with important uses being debugging in a declarative setting (e.g., [BDTW93]) 
and avoiding the exploration of parts of a search space that can be known not 
to contain a solution for reasons "equivalent" to the reasons for previous failures 
(e.g., [CTVW03]). 

LTL (e.g., [Pnu77, Eme90]) and its relatives are important specification
languages for reactive systems (e.g., [EF06]). Experience in verification (e.g.,
[BBDER01, Kup06]) as well as in synthesis (e.g., [BGJ+07]) has led to specifications
themselves becoming objects of analysis. Consider two ways to examine a
specification $\phi$ in LTL [PSC+06]. First, one can ask whether a certain scenario $\phi'$,
also given as an LTL formula, is permitted by $\phi$. That is the case iff $\phi \wedge \phi'$ is
satisfiable. Second, one can check whether $\phi$ ensures a certain property $\phi''$ given
in LTL. $\phi''$ holds in $\phi$ iff $\phi \wedge \neg\phi''$ is unsatisfiable. In the first case, if the scenario
turns out not to be permitted by the specification, a UC can help to understand
which parts of the specification and the scenario are responsible for that. In the
second case a UC can show which parts of the specification imply the property.
Moreover, if there are parts of the property that are not part of the UC,
then those parts of the property could be strengthened without invalidating the
property in the specification; i.e., the property is vacuously satisfied (e.g.,
[BBDER01, KV03, AFF+03, FKSFV08, Kup06]). Despite this relevance, interest in
UCs for LTL has been somewhat limited (e.g., [CRST07, Sch12b, HH11]). In
particular, publicly available tools that automatically extract fine-grained UCs
for propositional LTL are scarce.

Extracting UCs is often possible using any solver for the logic under
consideration by weakening subformulas one by one and using the solver to test
whether the weakened formula is still unsatisfiable (e.g., [Sil10]). While that
is simple to implement, repeated testing for preservation of unsatisfiability may
impose a significant run time burden. Hence, it is interesting to investigate
methods to extract UCs from a single run of a solver. Extracting UCs from
resolution graphs is common in propositional SAT (e.g., [GN03, ZM03a]). A resolution
method (e.g., [BG01, Rob65]) for LTL, temporal resolution (TR), was suggested
by Fisher [Fis91, FDP01] and implemented in TRP++ [HK04, HK03, trp].

Contributions In this paper we make the following contributions. 1. We construct
resolution graphs for TR for propositional LTL as implemented in TRP++ [HK04,
HK03, trp], and we show how to use them to extract UCs. 2. We implement our
method in TRP++, and we experimentally evaluate it. We make the source code of
our solver available. Conceptually, under the frequently legitimate assumption
that a system description can be translated into an LTL formula, our results
extend to vacuity for LTL [BBDER01, KV03, AFF+03, FKSFV08, Kup06].

Related Work In [CRST07] Cimatti et al. perform extraction of UCs for PSL to
accelerate a PSL satisfiability solver by performing Boolean abstraction. Their
notion of UCs is coarser than ours, and their solver is based on BDDs and on
SAT. An investigation of notions of UCs for LTL including the relation between
UCs and vacuity is performed in [Sch12b]. No implementation or experimental
results are reported, and TR is not considered. Hantry et al. suggest a method
to extract UCs for LTL in a tableau-based solver [HH11]. No implementation or
experiments are reported. Awad et al. [AGH+12] use tableaux to extract UCs
in the context of synthesizing business process templates. The description of the
method is sketchy and incomplete, the notion of UC appears to be one of a subset
of a set of formulas, and no detailed experimental evaluation is carried out.
In [CMT11] Cimatti et al. show how to prove and explain unfeasibility of message
sequence charts for networks of hybrid automata. They consider a different
specification language and use an SMT-based algorithm. Some work deals with
unrealizable rather than unsatisfiable cores. [CRST08] handles specifications in
GR(1), which is a proper subset of LTL. Könighofer et al. present methods to
help debugging unrealizable specifications by extracting unrealizable cores and
simulating counterstrategies [KHB09] as well as performing error localization
using model-based diagnosis [KHB10]. Raman and Kress-Gazit [RKG11] present a
tool that points out unrealizable cores in the context of robot control. [Sch12b]
explores more fine-grained notions of unrealizable cores than [CRST08, KHB09].

Structure of the Paper Section 2 starts with preliminaries. TR and its clausal
normal form SNF are introduced in Sec. 3. In Sec. 4 we describe the construction
of a resolution graph and its use to obtain a UC. The UCs obtained in
Sec. 4 are lifted from SNF to LTL in Sec. 5. In Sec. 6 we provide examples that
illustrate why these UCs are useful and how to obtain them. We discuss our
implementation and experimental evaluation in Sec. 7. Section 8 concludes. Due
to space constraints proofs are sketched or omitted. For a full version [Sch12a] of
this paper including proofs and for our implementation, examples, and log files
see [pap].

2 Preliminaries 

We use a standard version of LTL, see, e.g., [Eme90]. Let $\mathbb{B}$ be the set of Booleans,
and let $AP$ be a finite set of atomic propositions. The set of LTL formulas is
constructed inductively as follows. The Boolean constants $0$ (false), $1$ (true) $\in \mathbb{B}$
and any atomic proposition $p \in AP$ are LTL formulas. If $\psi, \psi'$ are LTL formulas,
so are $\neg\psi$ (not), $\psi \vee \psi'$ (or), $\psi \wedge \psi'$ (and), $X\psi$ (next time), $\psi\,U\,\psi'$ (until), $\psi\,R\,\psi'$
(releases), $F\psi$ (finally), and $G\psi$ (globally). We use $\psi \rightarrow \psi'$ (implies) as an
abbreviation for $\neg\psi \vee \psi'$.

3 Temporal Resolution (TR) 

In this section we describe TR [FDP01] as implemented in TRP++ [HK03, HK04,
trp]. We first explain the clausal normal form TR is based on. In Sec. 3.2 we
provide a concise description of TR as required for the purposes of this paper.
In Sec. 3.3 we give some intuition on how TR works with a slant towards
BDD-based symbolic model checking (e.g., [BCM+92, CGH97, CGP01]). We wish to
emphasize that TR is an existing technique that has been developed since the
early 1990s [Fis91]. Our contribution in this paper is an extension of TR that
allows extracting UCs from a run of TRP++ on an unsatisfiable LTL formula.
Hence, while in this section we do our best to provide both a precise description
of TR as well as some intuition on how it works, space constraints limit the
extent of this description. Therefore, we refer readers interested in more details,
a more extensive explanation, or correctness proofs of TR to [FDP01] for a
general overview, to [Dix98, Dix97, Dix96, Dix95] for details on loop search, and
to [HK03, HK04, trp] for the implementation in TRP++.

3.1 Separated Normal Form (SNF) 

TR works on formulas in a clausal normal form called separated normal form
(SNF) [Fis91, FN92, FDP01]. For any atomic proposition $p \in AP$, $p$ and $\neg p$
are literals. Let $p_1, \ldots, p_n, q_1, \ldots, q_{n'}, l$ with $0 \le n, n'$ be literals such that
$p_1, \ldots, p_n$ and $q_1, \ldots, q_{n'}$ are pairwise different. Then 1. $(p_1 \vee \ldots \vee p_n)$ is an
initial clause; 2. $(G((p_1 \vee \ldots \vee p_n) \vee (X(q_1 \vee \ldots \vee q_{n'}))))$ is a global clause; and
3. $(G((p_1 \vee \ldots \vee p_n) \vee (F(l))))$ is an eventuality clause. $l$ is called an eventuality
literal. As usual an empty disjunction (resp. conjunction) stands for $0$ (resp. $1$).
$()$ or $(G())$, denoted $\Box$, stand for $0$ or $G(0)$ and are called empty clause. The set
of all SNF clauses is denoted $\mathcal{C}$. Let $c_1, \ldots, c_n$ with $0 \le n$ be SNF clauses. Then
$\bigwedge_{1 \le i \le n} c_i$ is an LTL formula in SNF. Every LTL formula $\phi$ can be transformed
into an equisatisfiable formula $\phi'$ in SNF [FDP01].

Table 1. Production rules used in TRP++. Let $P = p_1 \vee \ldots \vee p_n$, $Q = q_1 \vee \ldots \vee q_{n'}$,
$R = r_1 \vee \ldots \vee r_{n''}$, and $S = s_1 \vee \ldots \vee s_{n'''}$.



3.2 TR in TRP++ 



The production rules of TRP++ are shown in Tab. 1. The 1st column assigns a 
name to a production rule. The 2nd and 4th columns list the premises. The 6th 
column gives the conclusion. Columns 3, 5, and 7 are described below. Columns 
8-10 become relevant only in later sections. 

Algorithm 1 provides a high level view of TR in TRP++ [HK04]. The algorithm
takes a set of starting clauses $C$ in SNF as input. It returns unsat if
$C$ is found to be unsatisfiable (by deriving $\Box$) and sat otherwise. Resolution
between two initial or two global clauses or between an initial and a global
clause is performed by a straightforward extension of propositional resolution
(e.g., [Rob65, FM09, BG01]). The corresponding production rules are listed under
saturation in Tab. 1. Given a set of SNF clauses $C$ we say that one saturates
$C$ if one applies these production rules to clauses in $C$ until no new clauses are
generated. Resolution between a set of initial and global clauses and an eventuality
clause with eventuality literal $l$ requires finding a set of global clauses
that allows to infer conditions under which $XG\neg l$ holds. Such a set of clauses
is called a loop in $\neg l$. Loop search involves all production rules in Tab. 1 except
step-nn and step-nx.

Algorithm 1: LTL satisfiability checking via TR in TRP++.
Input: A set of SNF clauses C. Output: unsat if C is unsatisfiable; sat otherwise.

 1  M ← C; if □ ∈ M then return unsat;
 2  saturate(M); if □ ∈ M then return unsat;
 3  augment(M);
 4  saturate(M); if □ ∈ M then return unsat;
 5  M' ← ∅;
 6  while M' ≠ M do
 7      M' ← M;
 8      for c ∈ C . c is an eventuality clause do
 9          C' ← {□};
10          repeat
11              initialize-BFS-loop-search-iteration(M, c, C', L);
12              saturate-step-xx(L);
13              C' ← {c' ∈ L | c' has empty X part};
14              C'' ← {(G(Q)) | (G((0) ∨ (X(Q ∨ l)))) ∈ L generated by BFS-loop-it-init-c};
15              found ← subsumes(C'', C');
16          until found or C' = ∅;
17          if found then
18              derive-BFS-loop-search-conclusions(c, C', M);
19      saturate(M); if □ ∈ M then return unsat;
20  return sat;

In line 1 Alg. 1 initializes $M$ with the set of starting clauses and terminates iff
one of these is the empty clause. Then, in line 2, it saturates $M$ (terminating iff
the empty clause is generated). In line 3 it augments $M$ by applying production
rule aug1 to each eventuality clause in $M$ and aug2 once per eventuality literal
in $M$, where $w_l$ is a fresh proposition. This is followed by another round of
saturation in line 4. From now on Alg. 1 alternates between searching for a loop
for some eventuality clause $c$ (lines 9-18) and saturating $M$ if loop search has
generated new clauses (line 19). It terminates if either the empty clause was
derived (line 19) or no new clauses were generated (line 20).

Loop search for some eventuality clause $c$ may take several iterations (lines
10-16). Each loop search iteration uses saturation restricted to step-xx as a
subroutine (line 12). Therefore, each loop search iteration has its own set of
clauses $L$ in which it works. We call $M$ and $L$ partitions. Columns 3, 5, and
7 in Tab. 1 indicate whether a premise (resp. conclusion) of a production rule
is taken from (resp. put into) the main partition ($M$), the loop partition of
the current loop search iteration ($L$), the loop partition of the previous loop
search iteration ($L'$), or either of $M$ or $L$ as long as premises and conclusion
are in the same partition ($M/L$). In line 11 partition $L$ of a loop search iteration
is initialized by applying production rule BFS-loop-it-init-x once to each global
clause with non-empty X part in $M$, rule BFS-loop-it-init-n once to each global
clause with empty X part in $M$, and rule BFS-loop-it-init-c once to each global
clause with empty X part in the partition of the previous loop search iteration
$L'$. Notice that by construction at this point $L$ contains only global clauses with
non-empty X part. Then $L$ is saturated using only rule step-xx (line 12). A
loop has been found iff each global clause with empty X part that was derived
in the previous loop search iteration is subsumed by at least one global clause
with empty X part that was derived in the current loop search iteration (lines
13-15). Subsumption between a pair of clauses corresponds to an instance of
production rule BFS-loop-it-sub; note, though, that this rule does not produce
a new clause but records a relation between two clauses to be used later for
extraction of a UC. Loop search for $c$ terminates if either a loop has been found
or no clauses with empty X part were derived (line 16). If a loop has been found,
rules BFS-loop-conclusion1 and BFS-loop-conclusion2 are applied once to each global
clause with empty X part that was derived in the current loop search iteration
(line 18) to obtain the loop search conclusions for the main partition.



3.3 TR — Some Intuition 

The following explanation is partly based on the correctness proofs used in TR
(e.g., [FDP01, Dix95]). At various points we draw parallels to BDD-based
symbolic model checking (below shortened to "model checking"; e.g., [BCM+92,
CGH97, CGP01]).

Transition Systems Given a set of atomic propositions $AP$ a transition system
$G = (V, E, I)$ is a directed graph with a finite set of vertices $V \subseteq 2^{AP}$, a set of
directed edges $E \subseteq V \times V$, and a set of initial vertices $I \subseteq V$. A set of SNF
clauses $C$ induces a transition system as follows. $C$ is partitioned into the 3 sets
of initial clauses, global clauses with empty X part, and global clauses with
non-empty X part (eventuality clauses are ignored). The set of vertices $V$ is given by
those valuations of $AP$ that fulfill the bodies of the global clauses with empty
X part. The set of edges is given by those pairs of vertices that fulfill the bodies
of the global clauses with non-empty X part. The set of initial vertices is the
subset of vertices that fulfill the initial clauses. Note that not all vertices may
be reachable from an initial vertex. Given a set of SNF clauses $C$ it is easy to
see that its induced transition system contains an initialized infinite path that
fulfills the eventuality clauses in $C$ if and only if $C$ is satisfiable.



Saturation Saturation adds clauses to a set of SNF clauses $C$ such that the
resulting induced transition system $G'$ is restricted to those vertices of $G$ that
are the start of an infinite path in $G$. Resolution within each of the sets of initial
clauses (init-ii), global clauses with empty X part (step-nn), and global clauses
with non-empty X part (step-xx) — provided the result has a non-empty X
part — induce the same transition system before and after such resolution. The
same is true for resolution between a global clause with empty X part and a
global clause with non-empty X part (step-nx) that results in a global clause
with non-empty X part as well as for resolution between an initial clause and a
global clause with empty X part (init-in). Note that while such resolution does
not lead to a change in the induced transition system, these resolutions serve 2
purposes: 1. to generate clauses that are needed as input for resolution that does
lead to a change in the induced transition system and 2. to generate the empty
clause as a sign for unsatisfiability. Resolution between two global clauses with
non-empty X part (step-xx) that results in a global clause with empty X part $c$
may induce different transition systems before and after such resolution: before
resolution is carried out, the induced transition system may have vertices not
fulfilling the body of $c$, albeit with no outgoing edges; after resolution is carried
out, the induced transition system will have no such vertices. This is also true
for resolution between a global clause with empty X part and a global clause
with non-empty X part (step-nx) that results in a global clause with empty
X part. As propositional resolution is complete and the above resolution steps
are carried out until no new clauses are generated, at that point the induced
transition system contains only vertices that are the start of an infinite path
as stated above. This is somewhat comparable to model checking pruning a
transition system to the set of vertices that are the start of an infinite path by
repeatedly computing a backward image for a set of vertices and intersecting
with that set of vertices until a fixed point is reached; note though, that model
checking tends to proceed in a breadth-first manner, while TR is more flexible.

BFS Loop Search Given a set of SNF clauses $C$ with an eventuality clause
$(G((P) \vee (F(l))))$ BFS loop search adds clauses to $C$ that remove those vertices
from the induced transition system that do not fulfill $P$ but cannot reach a vertex
that fulfills $l$. Assume an eventuality clause $(G((P) \vee (F(l))))$. The first iteration
of a BFS loop search for a loop in $\neg l$ produces global clauses with empty X part
whose body is fulfilled by those vertices in the induced transition system $G$ that
can reach a vertex in $G$ that fulfills $l$ in one step. The second iteration extends
that to one or two steps. This continues until a fixed point is reached where the
bodies of the produced global clauses with empty X part are fulfilled by those
vertices in the induced transition system $G$ that can reach a vertex in $G$ that
fulfills $l$ in one or more steps. The loop search conclusions then combine this new
information with $P$ and $w_l$. In model checking the computation of vertices that
can reach $l$ in one or more steps by repeated computation of backward images
is very similar; note, though, that in typical model checking with Büchi fairness
(e.g., [BCM+92, CGH97, CGP01]) $P$ and $w_l$ are not present.

High Level View In App. A we turn the above discussion into a high level view of 
TR in TRP++ and we discuss the relation to cycle detection algorithms in model 
checking. 

4 UC Extraction 

In this section we describe, given an unsatisfiable set of SNF clauses $C$, how to
obtain a subset of $C$, $C^{uc}$, that is by itself unsatisfiable from an execution of
Alg. 1. The general idea of the construction is unsurprising in that during the
execution of Alg. 1 a resolution graph is built that records which clauses were
used to generate other clauses (Def. 1). Then the resolution graph is traversed
backwards from the empty clause to find the subset of $C$ that was actually used
to prove unsatisfiability (Def. 2). The main concern of Def. 1, 2, and their proof
of correctness in Thm. 1 is therefore why certain parts of the TR proof do
not need to be taken into account when determining $C^{uc}$.

Definition 1 (Resolution Graph). A resolution graph $G$ is a directed graph
consisting of 1. a set of vertices $V$, 2. a set of directed edges $E \subseteq V \times V$, 3. a
labeling of vertices with SNF clauses $L_V : V \rightarrow \mathcal{C}$, and 4. a partitioning $Q^V$ of
the set of vertices $V$ into one main partition $M^V$ and one partition $L_i^V$ for each
BFS loop search iteration: $Q^V : V = M^V \uplus L_1^V \uplus \ldots \uplus L_n^V$. Let $C$ be a set of
SNF clauses. During an execution of Alg. 1 with input $C$ a resolution graph $G$
is constructed as follows.

In line 1 $G$ is initialized: 1. $V$ contains one vertex $v$ per clause $c$ in $C$:
$V = \{v_c \mid c \in C\}$, 2. $E$ is empty: $E = \emptyset$, 3. each vertex is labeled with the
corresponding clause: $L_V : V \rightarrow \mathcal{C}, L_V(v_c) = c$, and 4. the partitioning $Q^V$
contains only the main partition $M^V$, which contains all vertices: $Q^V : M^V = V$.

Whenever a new BFS loop search iteration is entered (line 11), a new partition
$L_i^V$ is created and added to $Q^V$. For each application of a production rule
from Tab. 1 that either generates a new clause in partition $M$ or $L$ or is the first
application of rule BFS-loop-it-sub to clause $c''$ in $C''$ in line 15: 1. if column 10
(Vt. c) of Tab. 1 contains ✓, then a new vertex $v$ is created for the conclusion
$c$ (which is a new clause), labeled with $c$, and put into partition $M^V$ or $L_i^V$;
2. if column 8 (p.1 – c) (resp. column 9 (p.2 – c)) contains ✓, then an edge is
created from the vertex labeled with premise 1 (resp. premise 2) in partition $M^V$
or $L_i^V$ to the vertex labeled with the conclusion in partition $M^V$ or $L_i^V$.

Definition 2 (UC in SNF). Let $C$ be a set of SNF clauses to which Alg. 1 has
been applied and shown unsatisfiability, let $G$ be the resolution graph, and let $v_\Box$
be the (unique) vertex in the main partition $M^V$ of the resolution graph $G$ labeled
with the empty clause $\Box$. Let $G'$ be the smallest subgraph of $G$ that contains $v_\Box$
and all vertices in $G$ (and the corresponding edges) that are backward reachable
from $v_\Box$. The UC of $C$ in SNF, $C^{uc}$, is the subset of $C$ such that there exists
a vertex $v$ in the subgraph $G'$, labeled with $c \in C$, and contained in the main
partition $M^V$ of $G$: $C^{uc} = \{c \in C \mid \exists v \in V_{G'} \,.\, L_V(v) = c \wedge v \in M^V\}$.

Theorem 1 (Unsatisfiability of UC in SNF). Let $C$ be a set of SNF clauses
to which Alg. 1 has been applied and shown unsatisfiability, and let $C^{uc}$ be the
UC of $C$ in SNF. Then $C^{uc}$ is unsat.

Assume for a moment that in columns 8 (p.1 – c) and 9 (p.2 – c) of Tab. 1
all ✗ are replaced with ✓, i.e., that each conclusion in the resolution graph is
connected by an edge to each of its premises rather than only to a subset of
them. In that case the UC in SNF according to Def. 2 would contain all clauses
of the set of starting clauses $C$ that contributed to deriving the empty clause and,
hence, to establishing unsatisfiability of $C$. In that case it would follow directly
from the correctness of TR that $C^{uc}$ is unsatisfiable. In the proof (see App. B) it
remains to show that not including an edge 1. from premise 1 to the conclusion
for rule aug2, 2. from premise 2 to the conclusion for rule BFS-loop-conclusion2,
3. from premise 2 to the conclusion for rule BFS-loop-it-init-c, and 4. from premise
1 to the conclusion for rule BFS-loop-it-init-c in the resolution graph $G$ maintains
the fact that the resulting $C^{uc}$ is unsatisfiable.
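As an added illustration (not code from the paper or from TRP++), the following Python sketch runs the saturation part of Alg. 1 on a constructed clause set while recording the resolution graph of Def. 1, and then performs the backward traversal of Def. 2. Augmentation and BFS loop search are left out, so every vertex lies in the main partition; the shapes of the rules init-ii, init-in, step-nn, step-nx and step-xx are assumed from the description in Sec. 3.3, since Tab. 1 is not reproduced here.

```python
from itertools import product

# A literal is (name, positive?); a clause is (kind, now, nxt) with kind in
# {"init", "glob"} and now/nxt frozensets of literals. nxt is empty for
# initial clauses and for global clauses with empty X part.

def lit(s):
    return (s[1:], False) if s.startswith("~") else (s, True)

def neg(l):
    return (l[0], not l[1])

def clause(kind, now="", nxt=""):
    return (kind, frozenset(lit(s) for s in now.split()),
            frozenset(lit(s) for s in nxt.split()))

EMPTY = clause("init")            # () or G(), the empty clause of Sec. 3.1

def tautology(lits):
    return any(neg(l) in lits for l in lits)

def resolvents(c1, c2):
    """Yield (rule, conclusion) for each way the ordered pair c1, c2 resolves.
    Assumed rule shapes: init-ii, init-in, step-nn resolve on the now parts;
    step-nx uses G(P v l) under X against G(Q v X(R v ~l)) to give
    G(Q v X(P v R)); step-xx resolves on the X parts."""
    k1, n1, x1 = c1
    k2, n2, x2 = c2
    if k1 == k2 == "init":
        rule, a, b, mk = "init-ii", n1, n2, lambda ra, rb: ("init", ra | rb, frozenset())
    elif k1 == "init" and k2 == "glob" and not x2:
        rule, a, b, mk = "init-in", n1, n2, lambda ra, rb: ("init", ra | rb, frozenset())
    elif k1 == k2 == "glob" and not x1 and not x2:
        rule, a, b, mk = "step-nn", n1, n2, lambda ra, rb: ("glob", ra | rb, frozenset())
    elif k1 == k2 == "glob" and not x1 and x2:
        rule, a, b, mk = "step-nx", n1, x2, lambda ra, rb: ("glob", n2, ra | rb)
    elif k1 == k2 == "glob" and x1 and x2:
        rule, a, b, mk = "step-xx", x1, x2, lambda ra, rb: ("glob", n1 | n2, ra | rb)
    else:
        return                    # the mirrored ordering of the pair covers this case
    for l in a:
        if neg(l) in b:
            kind, now, nxt = mk(a - {l}, b - {neg(l)})
            if not tautology(now) and not tautology(nxt):
                yield rule, EMPTY if not (now or nxt) else (kind, now, nxt)

def saturate(start):
    """Apply the saturation rules to a fixed point (Alg. 1, line 2) and record
    the resolution graph as a map conclusion -> [(premise, rule)]. For the
    saturation rules every conclusion gets an edge from both premises; like
    Alg. 1 we stop as soon as the empty clause has been derived."""
    clauses = list(start)
    preds = {c: [] for c in clauses}
    changed = True
    while changed and EMPTY not in preds:
        changed = False
        for c1, c2 in list(product(clauses, repeat=2)):
            if c1 == c2:
                continue
            for rule, concl in resolvents(c1, c2):
                if concl in preds:
                    continue      # not a new clause: Def. 1 adds no vertex or edge
                clauses.append(concl)
                preds[concl] = [(c1, rule), (c2, rule)]
                changed = True
                if concl == EMPTY:
                    return preds
    return preds

def unsat_core(start, preds):
    """Def. 2: starting clauses that are backward reachable from the empty
    clause. Without loop search all vertices are in the main partition."""
    if EMPTY not in preds:
        return None               # saturation alone did not refute the set
    seen, todo = set(), [EMPTY]
    while todo:
        v = todo.pop()
        if v not in seen:
            seen.add(v)
            todo.extend(p for p, _ in preds[v])
    return {c for c in start if c in seen}

def show(c):
    kind, now, nxt = c
    fmt = lambda ls: " v ".join(("" if pos else "~") + n for n, pos in sorted(ls))
    parts = [fmt(now)] + (["X(" + fmt(nxt) + ")"] if nxt else [])
    body = " v ".join(p for p in parts if p)
    return ("G(" + body + ")") if kind == "glob" else ("(" + body + ")")

# Constructed starting set: the first four clauses are jointly unsatisfiable
# ((a), (~a v b) give (b); G(~c), G(~b v Xc) give G(~b); (b), G(~b) give the
# empty clause). G(d v Xe) is never used and must not appear in the core.
START = [clause("init", "a"), clause("init", "~a b"), clause("glob", "~b", "c"),
         clause("glob", "~c"), clause("glob", "d", "e")]

if __name__ == "__main__":
    graph = saturate(START)
    for c in sorted(unsat_core(START, graph), key=show):
        print(show(c))
```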

By taking the fact that each vertex in the resolution graph has at most 2
incoming edges into account, the first part of the following Prop. 1 is immediate
from Def. 1 and 2. The second part is obtained by bounding the number of
1. different clauses in each partition, 2. iterations in each loop search by the
length of the longest monotonically increasing sequence of Boolean formulas over
$AP$, and 3. loop searches by the number of different loop search conclusions.

Proposition 1 (Complexity of UC Extraction). Let $C$ be a set of SNF
clauses to which Alg. 1 is applied and shows unsatisfiability. Construction and
backward traversal of the resolution graph and, hence, construction of $C^{uc}$
according to Def. 2 can be performed in time $O(|V|)$ in addition to the time required
to run Alg. 1. $|V|$ is at most exponential in $|AP| + \log(|C|)$.

Table 2. Translation from LTL to SNF.

5 From LTL to SNF and Back 

We use a structure-preserving translation to translate an LTL formula into a set
of SNF clauses, which slightly differs from the translation suggested in [FDP01].
It is well known that $\phi$ and $SNF(\phi)$ according to Def. 3 are equisatisfiable and
that a satisfying assignment for $\phi$ (resp. $SNF(\phi)$) can be extended (resp.
restricted) to a satisfying assignment of $SNF(\phi)$ (resp. $\phi$).

Definition 3 (Translation from LTL to SNF). Let $\phi$ be an LTL formula
over atomic propositions $AP$, and let $X = \{x, x', \ldots\}$ be a set of fresh atomic
propositions not in $AP$. Assign each occurrence of a subformula $\psi$ in $\phi$ a Boolean
value or a proposition according to col. 2 of Tab. 2, which is used to reference
$\psi$ in the SNF clauses for its superformula. Moreover, assign each occurrence of
$\psi$ a set of SNF clauses according to col. 3 or 4 of Tab. 2. Let $SNF_{aux}(\phi)$ be the
set of all SNF clauses obtained from $\phi$ that way. Then the SNF of $\phi$ is defined
as $SNF(\phi) = x_\phi \wedge \bigwedge_{c \in SNF_{aux}(\phi)} c$.

In the following Def. 4 we describe how to map a UC in SNF back to a UC
in LTL. The main idea in its proof of correctness (Thm. 2) is to compare the
SNF of $\phi$ and $\phi^{uc}$ by partitioning the SNF clauses into three sets: one that is
shared by the two SNFs, one that replaces some occurrences of propositions in
$SNF(\phi)$ with $1$ or $0$, and one whose clauses are only in $SNF(\phi)$. Then one can
show that the UC of $\phi$ in SNF must be contained in the first partition.
Definition 4 (Mapping a UC in SNF to a UC in LTL). Let $\phi$ be an
unsatisfiable LTL formula, let $SNF(\phi)$ be its SNF, and let $C^{uc}$ be the UC of
$SNF(\phi)$ in SNF. Then the UC of $\phi$ in LTL, $\phi^{uc}$, is obtained as follows. For
each positive (resp. negative) polarity occurrence of a proper subformula $\psi$ of
$\phi$ with proposition $x_\psi$ according to Tab. 2, replace $\psi$ in $\phi$ with $1$ (resp. $0$) iff
$C^{uc}$ contains no clause with an occurrence of proposition $x_\psi$ that is marked
(boxed in blue) in Tab. 2. (We are sloppy in that we "replace" subformulas of replaced
subformulas, while in effect they simply vanish.)

Theorem 2 (Unsatisfiability of UC in LTL). Let $\phi$ be an unsatisfiable LTL
formula, and let $\phi^{uc}$ be the UC of $\phi$ in LTL. Then $\phi^{uc}$ is unsat.

Remark 1. In Def. 10 of [Sch12b] a UC of an unsatisfiable formula in LTL is
obtained by replacing some occurrences of positive polarity subformulas with $1$
and some occurrences of negative polarity subformulas with $0$ while maintaining
unsatisfiability. By construction in Def. 4 and with Thm. 2 it is immediate that
a UC in LTL according to Def. 4 above is a UC according to Def. 10 of [Sch12b].



6 Examples 



In this section we first present examples of using UCs for LTL to help
understanding a specification given in LTL. Then we show an example of TR with the
corresponding resolution graph and UC extraction in SNF.

Using UCs in LTL to Help Understanding LTL Specifications We start with a
toy example and then proceed to a more realistic one. Except for minor rewriting,
all UCs in this section were obtained with our implementation. The first example
(1a)-(1c) is based on [JB06]. We would like to see whether a req (request) can
be issued (1d). This is impossible, as (1a) requires a req to be followed by 3 gnts
(grant), whereas (1b) forbids two subsequent gnts. The UC in (2) clearly shows
this.

(1a) $(G(req \rightarrow ((Xgnt) \wedge (XXgnt) \wedge (XXXgnt))))$
(1b) [formula not legible in the scan]
(1c) $\wedge\ (G(cancel \rightarrow X((\neg gnt)\,U\,go)))$
(1d) $\wedge\ (F\,req)$

(2a) $(G(req \rightarrow ((Xgnt) \wedge (XXgnt))))$
(2b) [formula not legible in the scan]
(2c) $\wedge\ (F\,req)$


The 2nd example (3) is adapted from a lift specification in [Har05] (we used
a somewhat similar example in [Sch12b]). The lift has two floors, indicated by
$f_0$ and $f_1$. On each floor there is a button to call the lift ($b_0$, $b_1$). $sb$ is $1$ if some
button is pressed. If the lift moves up, then $up$ must be $1$; if it moves down, then
$up$ must be $0$. $u$ switches turns between actions by users of the lift ($u$ is $1$) and
actions by the lift ($u$ is $0$). For a more detailed explanation we refer to [Har05].



(3a) $(\neg u) \wedge (f_0) \wedge (\neg b_0) \wedge (\neg b_1) \wedge (\neg up)$
(3b) $\wedge\ (G((u \rightarrow \neg Xu) \wedge ((\neg Xu) \rightarrow u)))$
(3c) $\wedge\ (G(f_0 \rightarrow \neg f_1))$
(3d) $\wedge\ (G((f_0 \rightarrow X(f_0 \vee f_1)) \wedge (f_1 \rightarrow X(f_0 \vee f_1))))$
(3e) $\wedge\ (G(u \rightarrow ((f_0 \rightarrow Xf_0) \wedge ((Xf_0) \rightarrow f_0) \wedge (f_1 \rightarrow Xf_1) \wedge ((Xf_1) \rightarrow f_1))))$
(3f) $\wedge\ (G((\neg u) \rightarrow ((b_0 \rightarrow Xb_0) \wedge ((Xb_0) \rightarrow b_0) \wedge (b_1 \rightarrow Xb_1) \wedge ((Xb_1) \rightarrow b_1))))$
(3g) $\wedge\ (G(((b_0 \wedge \neg f_0) \rightarrow Xb_0) \wedge ((b_1 \wedge \neg f_1) \rightarrow Xb_1)))$
(3h) $\wedge\ (G((f_0 \wedge Xf_0) \rightarrow ((up \rightarrow Xup) \wedge ((Xup) \rightarrow up))))$
(3i) $\wedge\ (G((f_1 \wedge Xf_1) \rightarrow ((up \rightarrow Xup) \wedge ((Xup) \rightarrow up))))$
(3j) $\wedge\ (G(((f_0 \wedge Xf_1) \rightarrow up) \wedge ((f_1 \wedge Xf_0) \rightarrow \neg up)))$
(3k) $\wedge\ (G((sb \rightarrow (b_0 \vee b_1)) \wedge ((b_0 \vee b_1) \rightarrow sb)))$
(3l) $\wedge\ (G((f_0 \wedge \neg sb) \rightarrow (f_0\,U\,(sb\,R\,((Ff_0) \wedge (\neg up))))))$
(3m) $\wedge\ (G((f_1 \wedge \neg sb) \rightarrow (f_1\,U\,(sb\,R\,((Ff_0) \wedge (\neg up))))))$
(3n) $\wedge\ (G((b_0 \rightarrow Ff_0) \wedge (b_1 \rightarrow Ff_1)))$



We first assume that an engineer is interested in seeing whether it is possible
that $b_1$ is continuously pressed (4). As the UC (5) shows, this is impossible as
$b_1$ must be $0$ at the beginning.

(4) $Gb_1$        (5) $(\neg b_1) \wedge Gb_1$

Now the engineer modifies her query such that $b_1$ is pressed only from time
point 1 on (6). As shown by the UC in (7) that turns out to be impossible, too.

(6) $XGb_1$        (7) $(\neg u) \wedge ((\neg b_1) \wedge ((G((\neg u) \rightarrow ((Xb_1) \rightarrow b_1))) \wedge (XGb_1)))$

The engineer now tries to have $b_1$ pressed only from time point 2 on and,
again, obtains a UC. She becomes suspicious and checks whether $b_1$ can be
pressed at all (8). She now sees that $b_1$ cannot be pressed at all and, therefore,
this specification of a lift must contain a bug. She can now use the UC in
(9a)-(9f) to track down the problem. This example illustrates the use of UCs for
debugging, as (9a)-(9f) is significantly smaller than (3).

(9a) $(f_0) \wedge (\neg b_1) \wedge (\neg up)$
(9b) $\wedge\ (G(f_0 \rightarrow \neg f_1))$
(9c) $\wedge\ (G((f_0 \wedge Xf_1) \rightarrow up))$
(9d) $\wedge\ (G((f_0 \wedge Xf_0) \rightarrow ((Xup) \rightarrow up)))$
(9e), (9f) [formulas not legible in the scan]



TR, Resolution Graph, and UC Extraction In Fig. 1 we show an example of 
an execution of the TR algorithm with the corresponding resolution graph and 
UC extraction in SNF. The set of starting clauses C to be solved is G(a ∨ ¬b), 
G(a ∨ b ∨ X(a ∨ b)), G((¬a) ∨ Xa), G((¬a) ∨ F¬a), shown in the first row from 
the bottom in the rectangle shaded in light red. In Fig. 1 TR generally proceeds 
from bottom to top; in the top right corner the empty clause □ is generated, 
indicating unsatisfiability. Clauses are connected with directed edges from 
premises to conclusions according to columns 8, 9 in Tab. 1. Edges are labeled 
with production rules, where "BFS-loop" is abbreviated to "loop", "init" to "i", 
and "conclusion" to "concl". Saturation in line 2 of Alg. 1 produces 
G(a ∨ b ∨ Xa) in the 2nd row from the bottom.¹ The other 2 clauses in that row 
are generated by augmentation (line 3). The following saturation (line 4) 
produces no new clauses. The dark green shaded rectangle is the loop partition 
for the first loop search iteration. Row 3 contains the clauses obtained by 
initialization of the BFS loop search iteration (line 11). Row 4 then contains 
the clauses generated from those in row 3 by saturation restricted to step-xx 
(line 12). The subsumption test fails in this iteration, as none of the clauses 
in row 4 subsumes the empty clause (lines 13-15). The light green shaded 
rectangle is the loop partition for the next loop search iteration. Row 5 
contains the clauses obtained by initialization and row 6 those obtained from 
them by restricted saturation. This time the subsumption test succeeds, and the 
loop search conclusions are shown in row 7 (line 18). Finally, row 8 contains 
the derivation of the empty clause □ via saturation (line 19). The thick, 
dotted, blue clauses and edges show the part of the resolution graph that is 
backward reachable from □. As all starting clauses in C are backward reachable 
from □, the UC of C in SNF is C (note that this example serves to illustrate 
the mechanism rather than the benefit of UC extraction). 

¹ While it may seem that some clauses are not considered for loop initialization 
or saturation, this is due to either subsumption of one clause by another (e.g., 
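The UC extraction mechanism just described, as an added example that is not code from the paper or from TRP++: it saturates a constructed set of global SNF clauses under step resolution while recording the resolution graph, then takes as UC the starting clauses that are backward reachable from □ (the mechanism of Def. 2). The step-nn and step-xx semantics are a simplified reconstruction, initial clauses, augmentation, loop search and subsumption are omitted, and the names clause, resolvents, saturate, extract_uc and demo are my own.

```python
# Added example (not code from the paper or from TRP++): step resolution on
# global SNF clauses of the main partition, recording the resolution graph as
# edges from premises to conclusions, then UC extraction as the set of starting
# clauses backward reachable from the empty clause (the mechanism of Def. 2).
# The step-nn / step-xx semantics used here is a simplified reconstruction
# (assumption); initial clauses, augmentation, loop search and subsumption
# are left out.
from collections import deque

def clause(now, nxt=()):
    """Global SNF clause G(now ∨ X(nxt)); a literal is (prop, polarity)."""
    return (frozenset(now), frozenset(nxt))

def neg(lit):
    return (lit[0], not lit[1])

EMPTY = clause(())  # the empty clause □: empty now-part and empty next-part

def is_tautology(c):
    return any(neg(lit) in part for part in c for lit in part)

def resolvents(c1, c2):
    """All step resolvents of c1, c2: step-nn resolves on a now-literal,
    step-xx on a next-literal; the remaining literals are unioned per part."""
    out = []
    for part, rule in ((0, "step-nn"), (1, "step-xx")):
        for lit in c1[part]:
            if neg(lit) not in c2[part]:
                continue
            parts = [c1[0] | c2[0], c1[1] | c2[1]]
            parts[part] = (c1[part] - {lit}) | (c2[part] - {neg(lit)})
            r = (frozenset(parts[0]), frozenset(parts[1]))
            if not is_tautology(r):
                out.append((rule, r))
    return out

def saturate(starting):
    """Saturate under step resolution, recording the resolution graph: an edge
    (premise, conclusion, rule) from each premise of the first derivation of
    a clause (assumption: re-derivations are not recorded). Stops at □."""
    clauses = list(dict.fromkeys(starting))  # dedupe, keep order
    seen, edges, processed = set(clauses), [], []
    queue = deque(clauses)
    while queue:
        c = queue.popleft()
        for d in processed:
            for rule, r in resolvents(c, d):
                if r in seen:
                    continue
                seen.add(r)
                clauses.append(r)
                edges.append((c, r, rule))
                edges.append((d, r, rule))
                queue.append(r)
                if r == EMPTY:
                    return clauses, edges, True
        processed.append(c)
    return clauses, edges, False

def extract_uc(starting, edges):
    """UC in SNF: the starting clauses from which □ is backward reachable."""
    preds = {}
    for prem, concl, _rule in edges:
        preds.setdefault(concl, set()).add(prem)
    reach, stack = {EMPTY}, [EMPTY]
    while stack:
        for p in preds.get(stack.pop(), ()):
            if p not in reach:
                reach.add(p)
                stack.append(p)
    return [c for c in starting if c in reach]

# Constructed clause set: the first four clauses refute via G(b) and G(¬b);
# G(d ∨ Xe) never takes part in the refutation and must drop out of the UC.
A, NA, B, NB = ("a", True), ("a", False), ("b", True), ("b", False)
C_, NC, D, E = ("c", True), ("c", False), ("d", True), ("e", True)
SAMPLE = [
    clause([A, B]),       # G(a ∨ b)
    clause([NA, B]),      # G(¬a ∨ b)
    clause([NB], [C_]),   # G(¬b ∨ Xc)
    clause([NB], [NC]),   # G(¬b ∨ X¬c)
    clause([D], [E]),     # G(d ∨ Xe), irrelevant to unsatisfiability
]

def demo(starting=SAMPLE):
    """Returns (unsat, uc); uc is None when □ was not derived."""
    _clauses, edges, unsat = saturate(starting)
    return unsat, (extract_uc(starting, edges) if unsat else None)
```

Running demo() on SAMPLE derives □ from G(b) and G(¬b) and returns the first four clauses as the UC; re-running saturate on that UC alone still derives □, which is the property Theorem 1 establishes for the full algorithm.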



7 Experimental Evaluation 

Our implementation, examples, and log files are available from [pap]. 

Implementation In a recent experimental evaluation of solvers for satisfiability 
of propositional LTL [SD11] TRP++ proved to be competitive. It is available as 
source code [trp]. We therefore chose TRP++ as the basis for our implementation. 
TRP++ provides a translation from LTL to SNF via an external tool. To facilitate 
tracing a UC in SNF back to the input formula in LTL we implemented a 
translator from LTL to SNF inside TRP++, which reimplements ideas from the 
external translator. We used parts of TSPASS [LH10] for our implementation. For 
data structures we used C++ STL containers, for graph operations the Boost 
Graph Library [boo]. 

Benchmarks Our examples are based on [SD11]. In categories crafted and 
random and in family forobots we considered all unsatisfiable instances from 
[SD11]. The version of alaska_lift used here contains a small bug fix: in 
[WDMR08, SD11] the subformula Xu (i.e., X applied to u) was erroneously 
written as the literal Xu. Combining 2 variants of alaska_lift with 3 different 
scenarios we obtain 6 subfamilies of alaska_lift. For anzu_genbuf we invented 
3 scenarios to obtain 3 subfamilies. For all benchmark families that consist of 
a sequence of instances of increasing difficulty we stopped after two instances 
that could not be solved due to time or memory out. Some instances were 
simplified to 0 during the translation from LTL to SNF; these instances were 
discarded. In Tab. 3 we give an overview of the benchmark families. Columns 1-3 
give the category, name, and the source of the family. Columns 4, 5 list the 
numbers of instances that were solved by our implementation without UC 
extraction and with UC extraction. Column 6 indicates the size (number of nodes 
in the syntax tree) of the largest instance solved without UC extraction. 

¹ (continued) G(a ∨ b ∨ X(a ∨ b)) by G(a ∨ b ∨ Xa)) or the fact that TRP++ uses 
ordered resolution (e.g., G(a ∨ b ∨ Xa) with G((¬wl) ∨ X((¬a) ∨ wl)) for 
l = ¬a; [HK03, BG01]). Both are issues of completeness of TR and, therefore, 
not discussed in this paper. 

Fig. 1. Example of an execution of the TR algorithm with corresponding resolution 
graph and UC extraction in SNF. 

Setup The experiments were performed on a laptop with Intel Core i7 M 620 
processor at 2 GHz running Ubuntu 10.04. Run time and memory usage were 
measured with run [BJ]. The time and memory limits were 600 seconds and 6 
GB. 

Results In Fig. 2 (a) and (b) we show the overhead that is incurred by extracting 
UCs. An analysis by category (plots see App. D) shows that the overhead for 
instances of the application category, except for 2 that time out, is at most 
100 %. In Fig. 2 (c) we compare the sizes of the input formulas with the sizes 
of their UCs. Separate plots by category (see App. D) indicate that instances of 
the application category are reduced comparatively well. 
category      family               source            # solved   # solved   |largest solved| 
                                                     no UC      UC 
application   alaska_lift          [Har05, WDMR08]   73         71         4605 
              anzu_genbuf          [BGJ+07]          16         16         2676 
              forobots             [BDF09]           25         25          635 
crafted       schuppan_O1formula   [SD11]            21         21         1606 
              schuppan_O2formula   [SD11]             8          8           91 
              schuppan_phltl       [SD11]             4          4          125 
random                             [RV10]            66         66          157 
              trp                  [HS02]           397        397         1421 

Table 3. Overview of benchmark families. 



[Fig. 2: three scatter plots, (a) run time [seconds], (b) memory [GB], (c) size 
[# nodes], with axis label "formula [# nodes]"; tick values omitted.] 

Fig. 2. (a) and (b): overhead incurred by UC extraction in terms of run time (in 
seconds) and memory (in GB) with no UC extraction on the x-axis and UC extraction 
on the y-axis. The off-center diagonal shows where y = 2x. (c): size reduction 
obtained by UC extraction. The x-axis shows the sizes of the input formulas, the 
y-axis shows the sizes of the UCs. Size is measured as the number of nodes in the 
syntax trees. 



Discussion Our data show that extraction of UCs is possible with quite 
acceptable overhead in run time and memory usage (Fig. 2 (a), (b)). In 
particular, out of the 746 instances we considered with UC extraction disabled, 
44 were simplified to 0 in the translation to SNF, 610 were shown to be 
unsatisfiable by TR, and 92 remained unsolved. Enabling UC extraction results 
in 2 time or memory outs out of 610 instances. The resulting UCs are often 
significantly smaller than the input formula (Fig. 2 (c)). 

8 Conclusions 

In this paper we showed how to obtain UCs for LTL via temporal resolution, 
and we demonstrated with an implementation in TRP++ that UC extraction can 
be performed efficiently. The resulting UCs are significantly smaller than the 
corresponding input formulas. The similarity of temporal resolution and BDD-
based algorithms at a high level (Sec. 3, App. A) and work on resolution with 
BDDs ([JSB06]) suggests exploring whether computation of UCs is feasible for 
BDD-based algorithms. Another direction for transfer of our results is 
resolution-based computation of unrealizable cores [Noe95]. An immediate 
possibility to optimize the UCs we obtain is minimization by repeating 
extraction of UCs until a fixed point is reached and subsequent attempts to 
delete remaining clauses [ZM03b]. 
A TR: A High Level View 

In Alg. 2 we turn the discussion in Sec. 3.3 into a high level view of TR in 
TRP++. At the right hand side of Alg. 2 we show the corresponding line(s) in 
Alg. 1. When we write "Restrict G to the set of vertices V'", we mean that V 
is intersected with V', E with V' × V', and I with V'. 

Algorithm 2: High level view of LTL satisfiability checking via TR in TRP++. 
Input: A set of SNF clauses C. 
Output: unsat if C is unsatisfiable; sat otherwise. 

 1 if C contains the empty clause then return unsat; 
 2 Let G = (V, E, I) be the transition system induced by C; 
 3 Restrict G to the set of vertices that are the start of an infinite path; 
 4 if I is empty then return unsat; 
 5 for c ∈ C . c = (G((P) ∨ (F(l)))) is an eventuality clause in C do 
 6     Restrict G to the set of vertices that fulfill (P ∨ l ∨ wl); 
 7     Restrict E to the set of edges that fulfill ((¬wl) ∨ X(l ∨ wl)); 
 8 Restrict G to the set of vertices that are the start of an infinite path; 
 9 if I is empty then return unsat; 
10 G' ← (∅, ∅, ∅); 
11 while G' ≠ G do 
12     G' ← G; 
13     for c ∈ C . c = (G((P) ∨ (F(l)))) is an eventuality clause in C do 
14         V'' ← {v ∈ V | a successor of v can reach a vertex v' in which l holds}; 
15         if V'' ≠ 2^AP then 
16             Restrict G to the set of vertices that fulfill (P ∨ l ∨ V''); 
17             Restrict E to the set of edges that fulfill ((¬wl) ∨ X(l ∨ V'')); 
18             Restrict G to the set of vertices that are the start of an infinite path; 
19             if I is empty then return unsat; 
20 return sat;                                                          // 20 

In model checking a number of works investigated cycle detection algorithms 
(e.g., [FFK+01, RBS00, HKSV01, HTKB92, EL86]). While the high level algorithm 
above is not identical to any of those, it is somewhat similar to the variant 
of the One-Way-Catch-Them-Young (OWCTY) algorithm mentioned in footnote 
4 of [FFK+01]. In particular, it proceeds in backward direction (e.g., [HKQ03]), 
it uses CTY style pruning (lines 3, 8, 18; [HKSV01]), and the pruning happens in 
each iteration over the eventuality clauses (resp. fair sets). However, the 
initial pruning (line 3 or 8) is not present in that algorithm in [FFK+01]. 



B Proofs: 4 UC Extraction 

Lemma 1. Let C be a set of SNF clauses to which Alg. 1 has been applied 
and shown unsatisfiability, let G be the resolution graph, and let G' be the 
subgraph according to Def. 2. Let v be a vertex in G' labeled with a clause 
c = (G((¬wl) ∨ (X(l ∨ wl)))) created by augmentation aug2 from some eventuality 
clause (G((p_1 ∨ ... ∨ p_n) ∨ (F(l)))) ∈ C with eventuality literal l. Then there 
is a vertex v' in G' labeled with an eventuality clause 
c' = (G((q_1 ∨ ... ∨ q_{n'}) ∨ (F(l)))) ∈ C with eventuality literal l. 

Proof. There exists a path π of non-zero length in G' from v to the unique 
vertex v_□ in the main partition M labeled with the empty clause □. On the path 
π there exist two vertices v'', v''' such that v'' is labeled with a clause c'' 
that contains ¬wl or X¬wl, while v''' and all of its successors on π are labeled 
with clauses that contain neither ¬wl nor X¬wl. Let c''' be the clause labeling 
v'''. 

Case 1. c''' is generated by initial or step resolution (init-ii, init-in, 
step-nn, step-nx, or step-xx) from c'' and some other clause c''''. c'''' must 
contain wl or Xwl. Moreover, there must be a path π' (possibly of zero length) 
that starts from a vertex v''''' labeled with a clause c''''' and that ends in 
the vertex v'''' labeled with c'''', such that each vertex on the path π' is 
labeled with a clause that contains wl or Xwl. Finally wl or Xwl must be 
present in c''''' either because c''''' is contained in the set of input clauses 
in SNF, C, or because c''''' is generated by some production rule that 
introduces wl or Xwl in the conclusion. 

Case 1.1. c''''' is contained in the set of input clauses in SNF, C. 
Impossible: wl is a fresh proposition in aug1 and aug2. 

Case 1.2. c''''' is generated by initial or step resolution (init-ii, init-in, 
step-nn, step-nx, or step-xx). Impossible: initial and step resolution do not 
generate literals that are not contained (modulo time-shifting) in at least one 
of the premises. 

Case 1.3. c''''' is generated by augmentation 1 (aug1). By construction of the 
resolution graph G and the subgraph G' there is an edge in G' from a vertex v' 
in G' labeled with an eventuality clause c' = (G((q_1 ∨ ... ∨ q_{n'}) ∨ (F(l)))) 
∈ C with eventuality literal l to v'''''. 

Case 1.4. c''''' is generated by augmentation 2 (aug2), i.e., c''''' = c. This 
introduces another occurrence of ¬wl to be "resolved away". Note that in the 
main partition only new clauses are generated from existing ones with edges 
leading from existing vertices labeled with existing clauses to new vertices 
labeled with new clauses. Therefore, the main partition of G' is a finite 
directed acyclic graph, and this case cannot happen infinitely often. 

Case 1.5. c''''' is generated by BFS loop search initialization 
BFS-loop-it-init-x. Impossible: the production rule BFS-loop-it-init-x copies 
a clause verbatim. I.e., it cannot be the case that c''''' contains wl or Xwl, 
while the premise does not. 

Case 1.6. c''''' is generated by BFS loop search initialization 
BFS-loop-it-init-n. Impossible: the production rule BFS-loop-it-init-n copies 
and time-shifts a clause. I.e., it cannot be the case that c''''' contains Xwl, 
while the premise does not contain wl. 

Case 1.7. c''''' is generated by BFS loop search initialization 
BFS-loop-it-init-c. Impossible: the production rule BFS-loop-it-init-c copies 
and time-shifts a clause from a previous BFS loop search iteration (or 
initializes with the empty clause □) and disjoins with an eventuality literal 
Xl'. I.e., it cannot be the case that c''''' contains Xwl, while the premise 
does not contain wl. 

Case 1.8. v''''' is linked to via BFS loop search subsumption BFS-loop-it-sub. 
This case can be ignored as BFS loop search subsumption BFS-loop-it-sub does 
not actually generate a clause but merely links existing ones. 

Case 1.9. c''''' is generated by BFS loop search conclusion 1 
BFS-loop-conclusion1. Impossible: production rule BFS-loop-conclusion1 copies 
all literals verbatim from a clause derived in loop search, copies all literals 
verbatim from an eventuality clause except for the eventuality literal l' 
prefixed by F, and disjoins with the eventuality literal l'. I.e., it cannot be 
the case that c''''' contains wl, while the premises do not. 

Case 1.10. c''''' is generated by BFS loop search conclusion 2 
BFS-loop-conclusion2. Impossible: production rule BFS-loop-conclusion2 copies 
and time-shifts all literals from a clause c'''''' derived in loop search and 
disjoins with ¬wl' and Xl' for some eventuality literal l'. I.e., it cannot be 
the case that c''''' contains Xwl, while the premise c'''''' does not contain 
wl. 

Case 2. c''' is generated by augmentation aug1 or aug2. Impossible: the premise 
of the production rules aug1 and aug2 cannot contain either ¬wl or X¬wl, as wl 
is assumed to be a fresh proposition in aug1 and aug2. 

Case 3. c''' is generated by BFS loop search initialization BFS-loop-it-init-x. 
Impossible: the production rule BFS-loop-it-init-x copies a clause verbatim. 
I.e., it cannot be the case that c'' contains ¬wl or X¬wl, while c''' does not. 

Case 4. c''' is generated by BFS loop search initialization BFS-loop-it-init-n. 
Impossible: the production rule BFS-loop-it-init-n copies and time-shifts a 
clause. I.e., it cannot be the case that c'' contains ¬wl, while c''' does not 
contain X¬wl. 

Case 5. c''' is generated by BFS loop search initialization BFS-loop-it-init-c. 
Impossible: the production rule BFS-loop-it-init-c copies and time-shifts a 
clause from a previous BFS loop search iteration (or initializes with the empty 
clause □) and disjoins with an eventuality literal Xl'. I.e., it cannot be the 
case that c'' contains ¬wl, while c''' does not contain X¬wl. 

Case 6. v'' and v''' are linked via BFS loop search subsumption 
BFS-loop-it-sub, i.e. a time-shifted version of c'' subsumes c'''. Impossible: 
BFS-loop-it-sub links from a clause with fewer literals to a clause with 
(modulo time-shifting) the same and more literals. I.e., it cannot be the case 
that c'' contains ¬wl, while c''' does not contain X¬wl. 

Case 7. c''' is generated by BFS loop search conclusion 1 BFS-loop-conclusion1. 
Impossible: production rule BFS-loop-conclusion1 copies all literals verbatim 
from a clause derived in loop search, copies all literals verbatim from an 
eventuality clause except for the eventuality literal l' prefixed by F, and 
disjoins with the eventuality literal l'. I.e., it cannot be the case that c'' 
contains ¬wl, while c''' does not. 

Case 8. c''' is generated by BFS loop search conclusion 2 BFS-loop-conclusion2. 
Impossible: production rule BFS-loop-conclusion2 copies and time-shifts all 
literals from a clause derived in loop search and disjoins with ¬wl' and Xl' 
for some eventuality literal l'. I.e., it cannot be the case that c'' contains 
¬wl, while c''' does not contain X¬wl. 

Notice that the only possible cases are case 1.3 and 1.4. Of those, case 1.4 can 
only happen a finite number of times and must be followed by an occurrence of 
case 1.3. This concludes the proof. 

Lemma 2. Let C be a set of SNF clauses to which Alg. 1 has been applied and 
shown unsatisfiability, let G be the resolution graph constructed, and let G' 
be the subgraph according to Def. 2. Let v be a vertex in G' labeled with a 
clause c = (G((¬wl) ∨ (X((q_1 ∨ ... ∨ q_{n'}) ∨ l)))) generated by BFS loop 
search conclusion 2 BFS-loop-conclusion2 from some eventuality clause 
(G((p_1 ∨ ... ∨ p_n) ∨ (F(l)))) ∈ C with eventuality literal l (and some other 
clause). Then there is a vertex v'' in G' labeled with an eventuality clause 
c'' = (G((r_1 ∨ ... ∨ r_{n''}) ∨ (F(l)))) ∈ C with eventuality literal l. 

Proof. Analogous to the proof of Lemma 1. 

Lemma 3. Let C be a set of SNF clauses to which Alg. 1 has been applied 
and shown unsatisfiability, let G be the resolution graph, and let G' be the 
subgraph according to Def. 2. Let v be a vertex in G' labeled with a clause 
c = (G((∅) ∨ (X(q_1 ∨ ... ∨ q_{n'} ∨ l)))) generated by production rule 
BFS-loop-it-init-c from some eventuality clause (G((p_1 ∨ ... ∨ p_n) ∨ (F(l)))) 
∈ C with eventuality literal l (and some other clause). Then there is a vertex 
v'' in G' labeled with an eventuality clause c'' = (G((r_1 ∨ ... ∨ r_{n''}) ∨ 
(F(l)))) ∈ C with eventuality literal l. 

Proof. By construction of the resolution graph G (Def. 1) and its subgraph 
G' (Def. 2) v is included in G' only if G' also includes some vertex v' labeled 
with some clause c' such that c' was generated by BFS loop search conclusion 1 
BFS-loop-conclusion1 or BFS loop search conclusion 2 BFS-loop-conclusion2 from 
the BFS loop search iteration of which c is part. 

Case 1. c' is generated by BFS loop search conclusion 1 BFS-loop-conclusion1. 
The claim follows from the construction of the resolution graph G and its 
subgraph G'. By Def. 1 v' has an incoming edge from a vertex v'' labeled with 
an eventuality clause c'' = (G((r_1 ∨ ... ∨ r_{n''}) ∨ (F(l)))) ∈ C with 
eventuality literal l and by Def. 2 v'' is included in G' if v' is included. 

Case 2. c' is generated by BFS loop search conclusion 2 BFS-loop-conclusion2. 
In that case the claim follows directly from Lemma 2. 

Theorem 1 (Unsatisfiability of UC in SNF). Let C be a set of SNF clauses 
to which Alg. 1 has been applied and shown unsatisfiability, and let C_uc be 
the UC of C in SNF. Then C_uc is unsat. 
Proof. Assume for a moment that in columns 8 (p. 1 → c) and 9 (p. 2 → c) of 
Tab. 1 all × are replaced with ✓, i.e., that each conclusion in the resolution 
graph is connected by an edge to each of its premises rather than only to a 
subset of them. In that case the UC in SNF according to Def. 2 would contain 
all clauses of the set of starting clauses C that contributed to deriving the 
empty clause and, hence, to establishing unsatisfiability of C. In that case it 
would follow directly from the correctness of TR that C_uc is unsatisfiable. 

It remains to show that 1. not including an edge from premise 1 to the 
conclusion for rule aug2, 2. not including an edge from premise 2 to the 
conclusion for rule BFS-loop-conclusion2, 3. not including an edge from 
premise 2 to the conclusion for rule BFS-loop-it-init-c, and 4. not including 
an edge from premise 1 to the conclusion for rule BFS-loop-it-init-c in the 
resolution graph G maintains the fact that the resulting C_uc is unsatisfiable. 
Items 1.-3. are addressed by Lemmas 1, 2, and 3. 

We now address item 4. Notice that this case essentially corresponds to 
considering only the last iteration of a successful loop search to obtain the 
UC C_uc. After initialization of a loop search iteration in line 11 of Alg. 1 
L contains three sets of clauses according to the three production rules for 
initializing a loop search iteration. Clauses generated by BFS-loop-it-init-x 
and BFS-loop-it-init-n are (partly time-shifted) duplicates of clauses derived 
so far in the main partition. BFS-loop-it-init-c generates a set of clauses 
(G((∅) ∨ (X(p_{i,1} ∨ ... ∨ p_{i,n_i} ∨ l)))), 1 ≤ i ≤ n. From these three 
sets saturation restricted to rule step-xx in line 12 derives another set of 
clauses (G(q_{i',1} ∨ ... ∨ q_{i',n'_{i'}})), 1 ≤ i' ≤ n'. Taking the 
restriction of saturation to rule step-xx into account, that loop search 
iteration has established that, assuming C, the following fact is provable: 

$$\mathbf{G}\Big(\big(\bigwedge_{1 \le i \le n} \mathbf{X}(p_{i,1} \vee \ldots \vee p_{i,n_i} \vee l)\big) \rightarrow \big(\bigwedge_{1 \le i' \le n'} (q_{i',1} \vee \ldots \vee q_{i',n'_{i'}})\big)\Big) \qquad (10)$$

Moreover, if subsumption in line 15 succeeds, the following fact is also 
provable: 

$$\bigwedge_{1 \le i \le n} \bigvee_{1 \le i' \le n'} \mathbf{G}\big((q_{i',1} \vee \ldots \vee q_{i',n'_{i'}}) \rightarrow (p_{i,1} \vee \ldots \vee p_{i,n_i})\big) \qquad (11)$$

We rewrite (10) and (11) as follows: 

$$
\begin{aligned}
& \mathbf{G}\Big(\big(\bigwedge_{1 \le i \le n} \mathbf{X}(p_{i,1} \vee \ldots \vee p_{i,n_i} \vee l)\big) \rightarrow \big(\bigwedge_{1 \le i' \le n'} (q_{i',1} \vee \ldots \vee q_{i',n'_{i'}})\big)\Big) \\
\Leftrightarrow\ & \bigwedge_{1 \le i' \le n'} \mathbf{G}\Big(\big(\bigwedge_{1 \le i \le n} \mathbf{X}(p_{i,1} \vee \ldots \vee p_{i,n_i} \vee l)\big) \rightarrow (q_{i',1} \vee \ldots \vee q_{i',n'_{i'}})\Big) \\
\Leftrightarrow\ & \bigwedge_{1 \le i' \le n'} \mathbf{G}\Big(\big(\neg(q_{i',1} \vee \ldots \vee q_{i',n'_{i'}})\big) \rightarrow \big(\neg \bigwedge_{1 \le i \le n} \mathbf{X}(p_{i,1} \vee \ldots \vee p_{i,n_i} \vee l)\big)\Big) \\
\Leftrightarrow\ & \bigwedge_{1 \le i' \le n'} \mathbf{G}\Big(\big(\neg(q_{i',1} \vee \ldots \vee q_{i',n'_{i'}})\big) \rightarrow \big(\bigvee_{1 \le i \le n} \mathbf{X}\big((\neg(p_{i,1} \vee \ldots \vee p_{i,n_i})) \wedge \neg l\big)\big)\Big) \\
\Leftrightarrow\ & \bigwedge_{1 \le i' \le n'} \mathbf{G}\Big(\big(\neg(q_{i',1} \vee \ldots \vee q_{i',n'_{i'}})\big) \rightarrow \big((\mathbf{X}\neg l) \wedge \bigvee_{1 \le i \le n} \mathbf{X}\neg(p_{i,1} \vee \ldots \vee p_{i,n_i})\big)\Big) \qquad (12)
\end{aligned}
$$

$$
\begin{aligned}
& \bigwedge_{1 \le i \le n} \bigvee_{1 \le i' \le n'} \mathbf{G}\big((q_{i',1} \vee \ldots \vee q_{i',n'_{i'}}) \rightarrow (p_{i,1} \vee \ldots \vee p_{i,n_i})\big) \\
\Leftrightarrow\ & \bigwedge_{1 \le i \le n} \bigvee_{1 \le i' \le n'} \mathbf{G}\big((\neg(p_{i,1} \vee \ldots \vee p_{i,n_i})) \rightarrow (\neg(q_{i',1} \vee \ldots \vee q_{i',n'_{i'}}))\big) \qquad (13)
\end{aligned}
$$

Putting (12) and (13) together, we obtain (14), which is exactly the premise 
required to perform eventuality resolution with an eventuality clause with 
eventuality literal l [FDP01]. Intuitively, whenever some 
(p_{i,1} ∨ ... ∨ p_{i,n_i}) is false, (13) yields a false 
(q_{i',1} ∨ ... ∨ q_{i',n'_{i'}}), and (12) then yields X¬l together with a 
false (p_{i'',1} ∨ ... ∨ p_{i'',n_{i''}}) in the next state; iterating this 
argument gives ¬l in all later states: 

$$\bigwedge_{1 \le i \le n} \mathbf{G}\big((p_{i,1} \vee \ldots \vee p_{i,n_i}) \vee (\mathbf{X}\mathbf{G}\neg l)\big) \qquad (14)$$

This concludes the proof. 

Proposition 1 (Complexity of UC Extraction). Let C be a set of SNF 
clauses to which Alg. 1 is applied and shows unsatisfiability. Construction and 
backward traversal of the resolution graph and, hence, construction of C_uc 
according to Def. 2 can be performed in time O(|V|) in addition to the time 
required to run Alg. 1. |V| is at most exponential in |AP| + log(|C|). 

Proof. Notice that each vertex in G has at most 2 incoming edges. Hence, 
construction of G and backward traversal of G from the unique vertex in the 
main partition labeled with the empty clause, v_□, can be performed in time 
O(|V|). For a proof that |V| is at most exponential in |AP| + log(|C|) see the 
following reasoning: 

1. In an initial clause a proposition can be not present, present, or present 
negated. Hence, the number of different initial clauses is O(3^{|AP|}). 

2. In a global clause a proposition can be one of not present, present, or 
present negated; and prefixed by X not present, present, or present negated. 
Hence, the number of different global clauses is O(9^{|AP|}). 

3. The number of clauses in the main partition is bounded by 
|C| + O(3^{|AP|}) + O(9^{|AP|}) = O(|C| + 9^{|AP|}). 

4. The number of clauses in a partition for a BFS loop search iteration is 
bounded by O(9^{|AP|}). 

5. The number of partitions is bounded by 1 plus the number of BFS loop 
search iterations. 

6. The number of iterations in a BFS loop search is bounded by the length of 
the longest monotonically increasing sequence of Boolean formulas over AP, 
which is O(2^{|AP|}). See also [Dix98]. 

7. The number of BFS loop searches is bounded by the number of different 
clauses that can be the result of a BFS loop search. The number of different 
clauses that can be the consequence of BFS loop search conclusion 1 
BFS-loop-conclusion1 is bounded by the number of different global clauses with 
empty next part, which is O(3^{|AP|}). The number of different clauses that 
can be the consequence of BFS loop search conclusion 2 BFS-loop-conclusion2 is 
bounded by the number of different eventuality literals times the number of 
different global clauses with empty next part, which is O(|C| · 3^{|AP|}). 
Hence, the number of BFS loop searches is bounded by O(|C| · 3^{|AP|}). 

8. Taking all of the above into account, the number of clauses is bounded by 
O(|C| + 9^{|AP|} + |C| · 3^{|AP|} · 2^{|AP|} · 9^{|AP|}) = O(|C| · 54^{|AP|}). 

This concludes the proof. 



C Proofs: 5 From LTL to SNF and Back 

Theorem 2 (Unsatisfiability of UC in LTL). Let φ be an unsatisfiable LTL 
formula, and let φ_uc be the UC of φ in LTL. Then φ_uc is unsat. 

Proof. Let SNF(φ) be the SNF of φ, and let C_uc be the UC of SNF(φ) in SNF. 

First, consider the trivial case that φ is 0. Here, Def. 4 results in the UC of 
φ in LTL being φ_uc = 0 as desired. 

Now assume that φ is not 0, i.e., the size of the syntax tree of φ is greater 
than 1. Let SNF(φ_uc) be the SNF of φ_uc. In order to prove that φ_uc is unsat 
we show that the clauses of C_uc (which is unsat) are a subset of the SNF of 
φ_uc: C_uc ⊆ SNF(φ_uc). 

By comparing the clauses of SNF(φ) with those of SNF(φ_uc) we can partition 
the clauses of SNF(φ) into 3 sets:² 1. Some clauses are present in both SNF(φ) 
and SNF(φ_uc): C'_1 = SNF(φ) ∩ SNF(φ_uc). 2. Some clauses are present in 
SNF(φ) and are present in SNF(φ_uc) with one or more occurrences of some 
propositions x, x', ... that are marked blue boxed in Tab. 2 replaced with 1 
or 0. Call that set C'_2. 3. Some clauses are present in SNF(φ) but not in 
SNF(φ_uc): C'_3 = SNF(φ) \ (SNF(φ_uc) ∪ C'_2). 

By Def. 2 C_uc is a subset of SNF(φ): C_uc ⊆ SNF(φ). By Def. 4 C_uc contains 
no member of C'_2; otherwise, there could not be one or more occurrences of 
some propositions x, x', ... that are marked blue boxed in Tab. 2 replaced with 
1 or 0 in the clauses of C_uc: C_uc ∩ C'_2 = ∅. Now we argue that C_uc also 
contains no member of C'_3. First, let c ∈ C'_3 be an initial or a global 
clause. c cannot be a member of C_uc as, in order to be part of a proof that 
derives the empty clause, all literals of c need to be "resolved away". 
However, this is not possible for c as for the literal (¬)x_ψ on the left side 
of the implication in Tab. 2 there is no clause with an opposite literal in 
C_uc. This follows by induction on the nesting depth of the subformula ψ to 
which (¬)x_ψ belongs from the occurrence of the superformula of ψ that has 
been replaced with 1 or 0 in φ_uc. Now let c ∈ C'_3 be an eventuality clause. 
By Def. 1, 2 for such c to be part of C_uc there would have to be a clause c' 
in the resolution graph G according to Def. 1 that was generated by production 
rules aug1 or BFS-loop-conclusion1 and that is backward reachable in G from 
the vertex labeled with the empty clause □ in the main partition M, v_□. Again, 
for the latter to happen, all literals of c' would have to be "resolved away", 
which is impossible by a similar inductive argument as before. Hence, we have 
shown that all clauses in C_uc come from C'_1, which is a subset of SNF(φ_uc). 
This concludes the proof. 

² We disregard the issue of the indices of the variables x, x', ... 



D Additional Plots 



Figures 3 and 4 show the overhead that is incurred and the size reduction that 
is obtained by extracting UCs split by category. 
Fig. 3. Overhead incurred by UC extraction in terms of run time (in seconds) and 
memory (in GB) separated by categories application, crafted, and random. In each 
graph extraction of UCs is on the y-axis and no UC extraction on the x-axis. The 
off-center diagonal shows where y = 2x. 

Fig. 4. Size reduction obtained by UC extraction separated by categories application, 
crafted, and random. The y-axes show the sizes of the UCs, the x-axes show the sizes 
of the input formulas. Size is measured as the number of nodes in the syntax trees. 